NIST: Updated Computer Security Incident Handling Guide

Wednesday, August 15, 2012

The National Institute of Standards and Technology (NIST) has published the final version of its guide for managing computer security incidents.

Based on best practices from government, academic and business organizations, this updated guide includes a new section expanding on the important practice of coordination and information sharing among agencies.

During the chaotic first minutes when a computer system is under attack, having a well-prepared incident response plan to follow ensures that steps such as alerting other agencies or law enforcement occur in the correct order.

The revised NIST guide provides step-by-step instructions for new, or well-established, incident response teams to create a proper policy and plan. NIST recommends that each plan should have a mission statement, strategies and goals, an organizational approach to incident response, metrics for measuring the response capability, and a built-in process for updating the plan as needed. The guide recommends reviewing each incident afterward to prepare for future attacks and to provide stronger protections of systems and data.

"This revised version encourages incident teams to think of the attack in three ways," explains co-author Tim Grance. "One is by method—what's happening and what needs to be fixed. Another is to consider an attack's impact by measuring how long the system was down, what type of information was stolen and what resources are required to recover from the incident. Finally, share information and coordination methods to help your team and others handle major incidents."

A draft version of the guide covered agencies sharing and coordinating information, but public comments called for more detailed information in this area, and the authors added a section on this topic to meet the requests. The guidance suggests that information about threats, attacks and vulnerabilities can be shared by trusted organizations before attacks so each organization can learn from others.

By reaching out to the trusted group during an attack, one of the partners may recognize the unusual activity and make recommendations to quash the incident quickly. Also, some larger agencies with greater resources may be able to help a smaller agency respond to attacks.

The guide provides recommendations for agencies to consider before adding coordination and information sharing to the incident response plan, including how to determine what information is shared with other organizations and consulting with legal departments.